Role based router functionality

ABSTRACT

Configuration of firewall functionality for routers operating within a multi-router network is contemplated. The firewall functionality configured for one or more of the routers may be based on router positioning within the multi-router network. The firewall functionality may be automatically selected according to the router positioning in order to facilitate dynamic and/or adaptive router configuration.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No. 13/792,016, filed Mar. 9, 2013, which application claims the benefit of U.S. provisional Application No. 61/712,318 filed Oct. 11, 2012, and U.S. provisional Application No. 61/771,807 filed Mar. 2, 2013, the disclosures of which are incorporated in their entirety by reference herein.

TECHNICAL FIELD

The present invention relates to configuring functionality for routers included within a multi-router network, such as but not necessarily limited to facilitating role based firewall operation where firewall functionality is dynamically varied according to router positioning within the multi-router network.

BACKGROUND

A multi-router network may be characterized as a network having a plurality of routers connected together and arranged in a logical hierarchy. With the launch of new services, such as but not limited to home security, IP video, Smart Grid, etc., and more consumer devices, such as but not limited to televisions, mobile phones, appliances, etc., being configured with routers, multi-router networks are becoming more prevalent. Multi-router networks require multiple routers to communicate with each other over network links, the establishment of messaging protocols, hierarchical relationships, address assignments, prefix delegations, security measures, backup capabilities and a potential number of additional functional capabilities in order to properly and securely govern network communications. As the prevalence of such multi-router networks continues to grow, one non-limiting aspect of the present invention contemplates a need to facilitate configuring routers to operate in such a complex environment.

Without intending to limit the scope of the present invention, and while not dispositive of environments where a need may exist to facilitate configuring routers, one non-limiting aspect of the present invention foresees a particular need in facilitating configuration of routers employed in small office and home office (SoHo) environments. SoHo and similar environments may employ routers having off-the-shelf, default, pre-configured and/or consumer-level configurations where the corresponding routers may be commonly referred to as home Internet Protocol (IP) network (HIPnet) routers. Such pre-configurations may thwart inter-router communications and other operations associated with facilitating use and/or construction of a multiple-router network. Default firewall and/or network address translator (NAT) settings of such HIPnet routers may particularly disrupt inter-router communications, particularly communications from one subnet to another. Accordingly, one non-limiting aspect of the present invention contemplates facilitating configuration of HIPnet or other types of pre-configured routers for use in multi-router networks.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a role based router system in accordance with one non-limiting aspect of the present invention.

FIG. 2 illustrates a router having role based features in accordance with one non-limiting aspect of the present invention.

FIG. 3 illustrates a flowchart for a method of facilitating role based router functionality in accordance with one non-limiting aspect of the present invention.

DETAILED DESCRIPTION

As required, detailed embodiments of the present invention are disclosed herein; however, it is to be understood that the disclosed embodiments are merely exemplary of the invention that may be embodied in various and alternative forms. The figures are not necessarily to scale; some features may be exaggerated or minimized to show details of particular components. Therefore, specific structural and functional details disclosed herein are not to be interpreted as limiting, but merely as a representative basis for teaching one skilled in the art to variously employ the present invention.

FIG. 1 illustrates a role based router system 10 in accordance with one non-limiting aspect of the present invention. The system 10 illustrates one exemplary configuration where a delegating router 12 associated with an outside network 14 provides a prefix 16 (first prefix) to a requesting router 18 for delegation within an inside network 20. The prefix 16 may be any suitable addressing prefix, such as but not necessarily limited to an Internet Protocol version 6 (IPv6) prefix and an Internet Protocol version 4 (IPv4) prefix. The present invention is predominantly described with respect to use of IPv6 without necessarily intending to limit the scope of the present invention. Dynamic Host Configuration Protocol (DHCP), such as that described in Internet Engineering Task Force (IETF) request for comment (RFC) 2131, 3315 and 3633, the disclosures of which are hereby incorporated by reference in their entireties, or other suitable delegation processes may be employed to facilitate delegating the first prefix to the requesting router 18. The requesting router 18 may be configured to facilitate adaptively delegating the first prefix 16 to additional routers associated with the inside network 20, such as in the manner described in U.S. patent application Ser. No. 13/783,242, the disclosure of which is hereby incorporated by reference in its entirety.

The outside network 14 and the inside network 20 demonstrate one exemplary, non-limiting use of the present invention where a multiple system operator (MSO), Internet service provider (ISP) or other type of service provider is allocated a prefix or addressing domain by a suitable addressing entity to facilitate Internet-based messaging or other network-based messaging. The inside network 20 is shown to be distinguished from the outside network 14 to demonstrate one use case where an MSO may be tasked with facilitating messaging for a plurality of inside networks, such as but not necessarily limited to home networks or other internal networks associated with its subscribers. While only one inside network 20 is illustrated, the MSO may be responsible for facilitating prefix delegation with any number of inside networks or other downstream connected networks. The requesting router 18 may be periodically referred to herein as a customer edge router (CER) or edge router (ER), and routers connected downstream may be periodically referred to herein as internal routers (IRs). Optionally, the ER, IRs and/or devices may be configured to receive multiple prefixes, such as in the manner described in U.S. patent application Ser. No. 13/754,954, the disclosure of which is hereby incorporated by reference in its entirety.

A five layer architecture is shown to correspond with a first layer having the ER, a second layer having one or more IRs connected directly to the ER, a third layer having one or more IRs and/or devices connected to one of the second layer IRs, a fourth layer having one or more IRs and/or devices connected to one of the third layer IRs, and a fifth layer having one or more devices connected to one of the fourth layer IRs. The IRs and/or devices are shown to be connected to a single upstream ER or IR as such devices may be configured to listen to no more than one delegating router/device on a link (solid lines) in order to comply with DHCP requirements. The single connection of each component is shown for exemplary non-limiting purposes as the present invention fully contemplates the inside network having any number of configurations and interconnections between the ER, IRs and/or devices. The interconnections between the ER, IRs and devices are shown to correspond with wireline connections but may be similarly interconnected using wireless, radio frequency (RF), Bluetooth or other wireless types of links. One non-limiting aspect of the present invention contemplates the ER and/or the IRs being HIPnet routers or other consumer-level routers having off-the-shelf, default, pre-configured and/or consumer-level configurations.

In the event HIPnet routers, or other similarly pre-configured routers, interconnect to form the inside network, the inside network may be considered as a multi-router network or a SoHo network. One non-limiting aspect of the present invention contemplates a need to facilitate configuring capabilities and/or functionality of such routers to support inter-router communications within the multi-router network, including when such routers are deployed by network novices or other individuals lacking the ability or desire to program, adjust or otherwise manipulate router functionality to communicate with each other over network links and/or to establish messaging protocols, hierarchical relationships, address assignments, prefix delegations, security measures, backup capabilities and a potential number of additional functional capabilities desired to properly and securely govern network communications. One non-limiting aspect of the present invention contemplates a role based router feature, such as but not necessarily limited to a computer program product, having capabilities to automatically, adaptively and/or dynamically facilitate selection of desirable router functionality. The computer program product may be embedded in a non-transitory computer readable medium storing instructions, which when operable with a processor or other logically executing device, are sufficient for configuring router functionality.

FIG. 2 illustrates an exemplary router 30 deployed within the system 10 having role based features 32 in accordance with one non-limiting aspect of the present invention. The role based features 32 are shown to correspond with a functionality module 34, a position detection module 36 and a security profile selection module 38, although other configurations and/or modules may be included without deviating from the scope and contemplation of the present invention. The modules 34, 36, 38 may be associated with a processor (not shown) to facilitate executing operations according to instructions stored in a computer-readable medium (not shown) or the modules 34, 36, 38 may be otherwise associated with the router 30 to facilitate the contemplated operations. Optionally, the modules 34, 36, 38 may be part of or embodied in a computer program product installable on the router 30 prior to deployment, downloaded thereto as part of the DHCP provisioning or other provisioning associated with initially providing internet access or access to other provider services, and/or included within a controller operable within the multi-router network 20 to facilitate router provisioning and functionality limitation. The modules 34, 36, 38 and/or other logically executing features contemplated by the present invention may be used to facilitate automatically configuring functionality of the routers 30 deployed in the multi-router network 20 to automatically, adaptively and/or dynamically facilitate selection of desirable router functionality.

The router 30 is shown to include one or more up interfaces 40 and one or more down interfaces 42. The router 30 may be a directionless router having a plurality of receptacles configured to facilitate connection to cables or other wired communication mediums used to communicate signals between other routers 30 within the multi-router network and/or wireless interfaces to perform some operations. The interfaces 40, 42 may be adaptively assigned to an up direction and a down direction depending on positioning of the corresponding router within the multi-router network 20. The router 30 may include a directional processing feature (not shown), such as but not necessarily limited to that described in U.S. patent application Ser. No. 13/792,023, entitled Interface Directionality Assignment, filed Mar. 9, 2013, the disclosure of which is hereby incorporated by reference in its entirety, to facilitate assigning up/down directionality to each of the interfaces 40, 42. While not intending to limit the scope and contemplation of the present invention and/or the positioning or hierarchical relevance of the corresponding router, the up interface(s) 40 may be associated with or characterized as a wide area network (WAN) interface and the down interface(s) 42 may be associated with or characterized as a local area network (LAN) interface. The router 30 may be configured to route messages, signaling and other information between the up interface(s) 40 and the down interface(s) 42, with signaling traveling in a downstream direction from the up interface(s) 40 to the down interface(s) 42 and in an upstream direction from the down interface(s) 42 to the up interface(s) 40.

The signaling traveling between the up interface(s) 40 and the down interface(s) 42 may be processed according to functionality associated with the router 30. For exemplary non-limiting purposes, the functionality is illustrated with respect to a firewall. The firewall may be part of a functionality controller 34 configured to process, control and otherwise manipulate data packets (messages, signaling, etc.) passed between the interfaces. The firewall may be configured to block, transmit, process or otherwise manipulate signaling between the up interface(s) 40 and the down interface(s) 42 according to various settings and configurations. The firewall demonstrates one use of the present invention to facilitate automatically configuring firewall functionality according to various parameters associated with the multi-router network 20. Optionally, the firewall functionality may be selected according to a logical positioning of the corresponding router 30 within the multi-router network 20 in order to ensure desired inter-router communications and network security. While the firewall is illustrated, the present invention is not necessarily limited to configuring firewall functionality and fully contemplates configuring other router functionality, including that described below in more detail. Configuring firewall functionality is believed to be particularly beneficial at least in that HIPnet routers or other pre-configured routers may include default or pre-set firewall functionality that can prevent desirable inter-router communications if not properly adjusted upon router deployment within the multi-router network.

The firewall may be considered as a stateful firewall, such as that described in RFC 6092, the disclosure of which is hereby incorporated by reference in its entirety. The stateful firewall may facilitate stateful packet inspection (SPI) to selectively inspect and permit or deny transmission therethrough of packets or other information data types depending on the state of network connections, content, addresses and/or other information illustrative of the corresponding source/destination or otherwise reflective of the data transmission. The inspected information may be compared against a permitted set of information, database, signatures or other filtering related parameters to assess whether passage should be granted. The firewall may be deployed in a “default” state where packets other than those associated with an outgoing communication, i.e., a communication initiated from the router to an upstream device and/or router, are blocked. The blocking of non-outgoing or upstream originating signaling may effectively prevent communications between routers (ER, IRs) and/or devices connected within the SoHo network (multi-router network) 20, including those connected to different subnets or links. This inability to support inter-router communications “out of the box” can be particularly problematic to consumers attempting to use routers, devices having routers and/or devices within a multi-router network.

The firewall may be operable between an enabled state where stateful protection blocks all but upstream originating signaling and a disabled state where all signaling, including upstream originating signaling, is permitted, such as by turning “off” the firewall protection. One non-limiting aspect of the present invention contemplates the position detection module 36 determining a positioning of the router 30 within the multi-router network 20 and selectively enabling and disabling the stateful firewall depending on the determined position. This may include the security profile selection module 38 having a set of rules for specifying enablement/disablement of the firewall and/or other functionality of the router 30 according to its determined position. The security profile selection module 38 may include an edge security profile, an internal security profile or other position based profiles. The profiles may define a corresponding set of instructions, commands or other controls sufficient to achieve the desired functionality settings. Optionally, the instructions, etc., associated with the security profiles may be stored on the router 30 as a part of the computer program product, application, software or other control mechanism of the router 30. The present invention is predominantly described with respect to the security profiles defining edge instructions and internal instructions for dictating functionality depending on whether the router 30 is characterized as an ER or an IR, without intending to limit the scope and contemplation of the present invention as other positional characterizations are contemplated.

The position detection module 36 may be configured to determine the positioning of the router or its role within the multi-router network, i.e., whether the router is an ER or an IR, as a function of messaging and/or addressing associated with assigning the router an address and/or a prefix. The role may be determined by performing a “48 check”, a DHCPv6 CER-ID option check and/or another type of positional determination, such as but not limited to a physical determination. The “48 check” may correspond with the position detection module 36 comparing the first 48 bits of the assigned IA_NA to the first 48 bits of the assigned IA_PD such that the router is determined to be an IR if the first 48 bits of each match and an ER if the first 48 bits fail to match. For example, if the IA_NA/SLAAC address is in a different /48 from the IA_PD, the router may be determined to be an ER, and if the IA_NA/SLAAC address is in the same /48 as its IA_PD, the router may be determined to be an IR.

The DHCPv6 CER-ID option may correspond with the position detection module 36 utilizing a DHCPv6 option to identify whether the router is an ER, and if not then determining the router to be an IR. The DHCPv6 option may operate on the assumption that an ER sets a CER_ID (DHCPv6 option) to the IPv6 address of its LAN interface. If it has more than one LAN IPv6 address, it selects one of its LAN or loopback IPv6 addresses to be used in the CER_ID. An ISP server does not respond with the CER_ID or sets the CER_ID to ::, whereby receipt of such a response indicates that the router is an ER and the failure to receive such a response indicates that the router is an IR. In more detail, a DHCPv6 client may be configured to include the CER Identification option code in an Option Request option in its DHCP Solicit messages. The DHCPv6 server (delegating router) may include the CER Identification option in any response it sends to a client (requesting router) that has included the CER Identification option code in an Option Request option. The CER Identification option may be sent in the main body of the message to the client, not as a sub-option in, e.g., an IA_NA or IA_TA option. When sending the CER Identification option, the DHCPv6 server (delegating router) may set the CER_ID value to either one of its IPv6 addresses or ::. If a device (router) does not receive the CER Identification option or receives a CER_ID of :: from the DHCPv6 server, it may include one of its Globally Unique IPv6 address(es) as the CER_ID value in response to DHCPv6 messages received by its DHCPv6 server that contain the CER Identification option code in an Option Request option. If the device has only one LAN interface, it may use its LAN IPv6 address as the CER_ID value. If the device has more than one LAN interface, it may use the lowest Globally Unique address not assigned to its WAN interface.

The physical determination may be based on some routers 30 having a physical differentiator built into them by design that will indicate that they are an ER. Examples include mobile routers, DSL routers, and cable eRouters. In the case of a mobile router, the presence of an active cellular connection indicates that the router 30 is at the customer edge. Likewise, for an eRouter, the presence of an active DOCSIS link tells the router that it is at the customer edge. HIPnet routers and others may use more than one of the above techniques in combination to determine the edge. For example, an internal router may check for the CER_ID option, but may also use the 48 check in case its upstream router does not support CER_ID.
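The three determinations above (the 48 check, the CER_ID option and the physical differentiator), combined in the fallback order the text suggests, as an added Python illustration that is not the patent's own code. It assumes the DHCPv6 client has already parsed IA_NA, IA_PD and CER_ID into text form; the `Assignment` record, the treatment of an absent CER_ID as inconclusive (so that the 48 check can decide), and the sample addresses are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ER, IR = "ER", "IR"
UNSPECIFIED = ipaddress.IPv6Address("::")


@dataclass
class Assignment:
    """What the position detection module sees after address/prefix assignment.
    Constructed record; a real implementation would read these from the DHCPv6
    client state and the platform's link status."""
    ia_na: Optional[str] = None        # address received via IA_NA (or formed by SLAAC)
    ia_pd: Optional[str] = None        # prefix received via IA_PD, e.g. "2001:db8:1:20::/60"
    cer_id: Optional[str] = None       # CER_ID option value as text; None = option not received
    edge_link_active: bool = False     # physical differentiator: active DOCSIS or cellular link


def check_48(ia_na: str, ia_pd: str) -> str:
    """The '48 check': same /48 in IA_NA and IA_PD -> IR, different /48 -> ER."""
    addr = ipaddress.IPv6Address(ia_na)
    prefix = ipaddress.IPv6Network(ia_pd, strict=False)
    # The first 48 bits are the first six bytes of the packed address.
    same_48 = addr.packed[:6] == prefix.network_address.packed[:6]
    return IR if same_48 else ER


def check_cer_id(cer_id: Optional[str]) -> Optional[str]:
    """CER_ID check. An upstream ER answers with one of its own global addresses,
    so a real address means this router is an IR. The ISP server answers with
    '::' (or omits the option), which marks this router as the ER. An absent
    option is returned as None so the caller can fall back to the 48 check,
    because an upstream router that does not support CER_ID also omits it."""
    if cer_id is None:
        return None
    return ER if ipaddress.IPv6Address(cer_id) == UNSPECIFIED else IR


def determine_role(a: Assignment) -> str:
    """Combine the techniques: physical differentiator first, then CER_ID, then
    the 48 check. With nothing left to compare, an absent CER_ID is taken as the
    ISP's silence and the router is treated as the ER (the edge profile keeps
    the stateful firewall on, so this is the safer default)."""
    if a.edge_link_active:
        return ER
    role = check_cer_id(a.cer_id)
    if role is not None:
        return role
    if a.ia_na and a.ia_pd:
        return check_48(a.ia_na, a.ia_pd)
    return ER


def role_changed(previous: Optional[str], a: Assignment) -> Optional[str]:
    """Re-run the determination whenever a new assignment arrives (multi-homing,
    ER failure, re-parenting). Returns the new role only when it differs from
    the previous one, so a profile is reapplied only on an actual change."""
    role = determine_role(a)
    return role if role != previous else None


if __name__ == "__main__":
    # Constructed assignments for a 2001:db8:1::/48 customer site.
    internal = Assignment(ia_na="2001:db8:1:10::1", ia_pd="2001:db8:1:20::/60")
    edge = Assignment(ia_na="2001:db8:1::1", ia_pd="2001:db8:2::/56", cer_id="::")
    for name, a in (("internal", internal), ("edge", edge)):
        print(name, determine_role(a))
```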

In addition to the foregoing positional determination mechanisms, the present invention fully contemplates the use of other processes and/or features for routers 30 to determine their relative positioning within the logical hierarchy of a multi-router network 20. While contemplated, the positioning or hierarchical relevance of each router 30 may be determined without use of a routing protocol, such as the Routing Information Protocol (RIP) and the Open Shortest Path First (OSPF) protocol, the disclosures of which are hereby incorporated by reference. A routing protocol may correspond with routing tables and other information provided to the router 30 to facilitate determining its relative position within the multi-router network. The routing tables may define routes between one or more of the routers (ER, IRs) and/or routes known to the routers such that the receiving router 30 is then responsible for comparing the tables to determine its relative positioning. The capability of the present invention to facilitate positional determinations without use of such routing protocols may be advantageous with routers 30 that may not be configured with capabilities to process such routing tables, within environments where it may be difficult or impossible to provide desired routing tables to the routers 30 and/or to facilitate implementation of the contemplated role based router functionality selection without having to update or comply with routing protocol requirements.

While the foregoing utilizes positional determinations to facilitate selectively enabling and disabling firewall functionality, the present invention fully contemplates using positional determinations to facilitate implementing additional functionality in addition to or in place of the firewall functionality according to other rules or instructions set forth in a corresponding one of the security profiles. The router 30, for example, may be configured with a default or pre-set network address translator (NAT) parameter, particularly if the router is an IPv4 router or a dual stack router, i.e., a router having IPv4 and IPv6 capability, whereby the default setting of the NAT parameter may thwart desired inter-router communications. The NAT parameters, similarly to the firewall parameter, may be set according to security profile roles depending on whether the corresponding router is an ER or an IR, e.g., the NAT may be disabled when the router 30 is an IR and enabled when the router is an ER. Additional role based policies may include:

An ER rule denying incoming traffic on its WAN interface 40 (except DHCP, Neighbor Discovery, ICMP, or pre-established TCP, UDP, or multicast streams, which may be subscriber selectable);

An ER rule blocking outgoing Port Control Protocol (PCP) and UPnP IGD messages on its WAN interface 40, except for a default list (e.g. peer-to-peer, SIP/VoIP, gaming, and http), which may be subscriber selectable;

An ER rule blocking site-scoped multicast messages from being sent to the WAN 40, while IRs forward site-scoped multicast messages out all interfaces 40, 42 (optionally, provided they pass a Reverse Path Forwarding check);

An IR rule enabling full support for PCP MAP messages. That is, the IR serves as a PCP server for all MAP messages, not just a limited subset;

An IR rule enabling operation as a UPnP/PCP gateway;

An IR rule enabling “Simple Security”, such as that described in RFC 6092;

An IR rule enabling “Advanced Security”, such as that described in I-D.vyncke-advanced-ipv6-security, the disclosure of which is hereby incorporated by reference in its entirety, which may optionally provide Intrusion Detection/Intrusion Protection; and/or

A special IR connecting rule enabling a “medium trust” network (e.g. SmartGrid) to filter PCP messages from the inside network to the special security zone network. The special security zone can be identified by ULA address space not used in the internal network.

Within the illustrated multi-router network 20, it may be desirable for the routers 30 to be equipped with stateful firewall capabilities. Such routers may provide “on by default” security where incoming traffic is limited to return traffic resulting from outgoing packets. It may also be desirable to allow users to create inbound ‘pinholes’ for specific purposes, such as online gaming, manually, similar to those described in Simple Security. “Advanced Security” features optionally may be used to support the concept of end-to-end IPv6 reachability and could be added to provide intrusion detection (IDS/IPS) support. Local Network Protection for IPv6 (RFC 4864), the disclosure of which is hereby incorporated by reference in its entirety, may be used to facilitate firewall functions that replace NAT security and calls for simple security. The present invention recommends that the ER enable a firewall by default and that IRs have at least one of the three options described below:

IR Firewall Option 1—Filtering Disabled: Once a home router determines that it is not the CER, it disables its firewall and allows all traffic to pass. The advantages of this approach are that it is simple and easy to troubleshoot and that it facilitates whole-home service discovery and media sharing. The disadvantage is that it does not protect home devices from each other (e.g. infected machines could affect the entire home network).

IR Firewall Option 2—Simple Security+PCP: Home routers may have a stateful firewall on by default, regardless of CER/IR status, but IRs allow “pin-holing” using PCP (I-D.ietf-pcp-base, the disclosure of which is hereby incorporated by reference in its entirety). CERs can restrict opening PCP pinholes on the up interface. The advantages of this approach may be that it protects the home network from internal threats in other LAN segments and it mirrors legacy IPv4 router behavior. The disadvantages of this approach may be that it is less predictable; it relies on application “pin-holing”, a “default deny” rule that may interfere with service discovery and/or content sharing, and requires PCP clients (e.g. on PCs and CPE devices).

IR Firewall Option 3—Advanced Security: Once a home router determines that it is not the CER, it may disable its stateful firewall and activate a firewall (IPS). The advantages of this approach may be that it protects the home network from internal threats in other segments and is more predictable than Option 2, since internal traffic is allowed by default. The disadvantages may be that adaptive filtering is more complex than static filtering and may require a “fingerprint” subscription to work well.
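The edge and internal security profiles (firewall and NAT settings), the three IR firewall options just listed, and the ER/IR policies enumerated above, applied to constructed packets, as an added Python illustration that is not the patent's code. The `Packet` fields, the `app` label used to match the PCP/UPnP default list, and the rule ordering are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SITE_LOCAL = 5  # RFC 4291 multicast scope value (low nibble of the second byte), i.e. ff05::/16
ER_WAN_INBOUND_EXCEPTIONS = {"dhcpv6", "icmpv6"}   # Neighbor Discovery is carried in ICMPv6
ER_WAN_PCP_UPNP_DEFAULT_ALLOW = {"peer-to-peer", "sip", "gaming", "http"}


def security_profile(role: str, ir_option: int = 1) -> Dict[str, bool]:
    """Edge profile vs. internal profile. ir_option picks one of the three IR
    firewall options (1 filtering disabled, 2 simple security + PCP pinholes,
    3 advanced security / IPS). NAT follows the firewall: on at the ER, off at IRs."""
    if role == "ER":
        return {"stateful_firewall": True, "ips": False, "nat": True,
                "pcp_server_all_map": False, "pcp_pinholes_on_up": False}
    if ir_option not in (1, 2, 3):
        raise ValueError("unknown IR firewall option")
    return {"stateful_firewall": ir_option == 2, "ips": ir_option == 3, "nat": False,
            "pcp_server_all_map": True, "pcp_pinholes_on_up": True}


@dataclass
class Packet:
    """Minimal view of a packet as the functionality controller sees it (constructed)."""
    iface: str                  # "up" (WAN side) or "down" (LAN side)
    direction: str              # "in" = arriving on iface, "out" = leaving through iface
    proto: str                  # "tcp", "udp", "icmpv6", "dhcpv6", "pcp", "upnp"
    dst: str                    # destination IPv6 address
    established: bool = False   # part of a flow the stateful firewall already tracks
    app: Optional[str] = None   # application behind a PCP/UPnP request (assumed field)


def multicast_scope(dst: str) -> Optional[int]:
    """Multicast scope nibble of an IPv6 address, or None if it is not multicast."""
    addr = ipaddress.IPv6Address(dst)
    return addr.packed[1] & 0x0F if addr.is_multicast else None


def evaluate(role: str, pkt: Packet) -> Tuple[str, str]:
    """Apply the role based policies to one packet; returns (verdict, matched rule)."""
    if pkt.direction == "out" and multicast_scope(pkt.dst) == SITE_LOCAL:
        if role == "ER" and pkt.iface == "up":
            return "deny", "ER: site-scoped multicast not sent to WAN"
        return "allow", "site-scoped multicast forwarded (IR: all interfaces; ER: LAN side)"
    if role == "ER" and pkt.iface == "up":
        if pkt.direction == "in":
            if pkt.established or pkt.proto in ER_WAN_INBOUND_EXCEPTIONS:
                return "allow", "ER: WAN inbound exception"
            return "deny", "ER: WAN inbound denied by default"
        if pkt.proto in ("pcp", "upnp") and pkt.app not in ER_WAN_PCP_UPNP_DEFAULT_ALLOW:
            return "deny", "ER: outgoing PCP/UPnP blocked on WAN except default list"
    if role == "IR" and pkt.proto == "pcp":
        return "allow", "IR: acts as PCP server for all MAP messages"
    return "allow", "no role based rule matched"


if __name__ == "__main__":
    # Constructed packets: unsolicited inbound on the WAN, site-scoped multicast, PCP.
    samples = [Packet("up", "in", "tcp", "2001:db8:1::10"),
               Packet("up", "in", "tcp", "2001:db8:1::10", established=True),
               Packet("up", "out", "udp", "ff05::1"),
               Packet("up", "out", "pcp", "2001:db8::1", app="ssh")]
    for role in ("ER", "IR"):
        print(role, security_profile(role))
        for pkt in samples:
            print("  ", pkt.iface, pkt.direction, pkt.proto, pkt.dst, "->", evaluate(role, pkt))
```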

Of course, while the foregoing describes recommended router behavior, device manufacturers and/or software providers may leverage the capabilities of the present invention to facilitate role based router functionality implementation, optionally according to positional determinations, to specify additional security profiles and to make router security options user configurable.

FIG. 3 illustrates a flowchart 50 for a method of facilitating role based router functionality in accordance with one non-limiting aspect of the present invention. The method may be used to facilitate automatically configuring routers deployed within a multi-router network or other logical hierarchy defined by physical and/or wireless connectivity according to the roles played by each router. The method is predominantly described with respect to the router roles being based on relative router positioning, which for exemplary non-limiting purposes is assumed to correspond with one of an internal position and an edge position. The internal position is characterized as the corresponding router being an IR having a wireline or wireless upstream connection either directly to an ER or another IR. The edge position is characterized as the corresponding router being an ER having a wireline or wireless upstream connection to a router outside of the multi-router network, such as that associated with an ISP, MSO or other service provider (e.g. a cable, satellite or broadcast television service provider; a cellular phone service provider; a voice over Internet protocol (VoIP) service provider; a content streaming/downloading source; etc.).

Blocks 52, 54 relate to determining router positioning. The routers may individually determine router positioning upon being connected within the multi-router network. The router positioning, for example, may be determined as a function of addressing or other messaging information provided to the connecting router upon establishing a connection within the multi-router network. Optionally, the routers may be instructed as to the relative positioning by a controller, network administrator or other features associated with the multi-router network. One non-limiting aspect of the present invention contemplates the routers individually determining router positioning by comparing addressing bits, such as those associated with an IA_NA and IA_PD provided thereto, and/or as a function of a CER_ID option. The router positioning determination may not necessarily be dispositive of the router's position relative to other similarly characterized routers, i.e., the router positioning inquiry may simply confirm whether the router is an ER or an IR. Once the router determines itself to be an IR, and while contemplated to do so, additional determinations regarding the router's positioning relative to other IRs need not be performed, which can be beneficial in ameliorating processing demands on the router.

Block 56 relates to configuring IR role based router functionality for the router after the router positioning determines the router to be an IR. The IR role based router functionality may be implemented according to an internal security profile stored on the router and/or provided thereto. The internal security profile may include roles, instructions, commands and/or other information associated with facilitating automatic configuration of the router according to desired role based functionality. The internal security profiles may specify a plurality of internal instructions sufficient for automatically controlling the router to implement the desired functionality, such as to facilitate setting firewall, NAT and/or other capabilities of the router without requiring corresponding user interaction or programming of the router. Optionally, configuring the IR role based functionality may include directing implementation of multiple functional capabilities according to a plurality of internal rules and/or profiles associated with the IR positioning determinations, which may be beneficial to facilitate implementing non-security and/or non-networking parameters for the router.

Block 58 relates to determining a positional change in the IR. The positional change may correspond with a role of the router changing within the home network, such as in the event the router changes from an IR to an ER and/or if the router changes IR positions from one portion or subnet to another portion or subnet of the multi-router network. While the particular IR router positioning or subnet need not necessarily be determined, in the event certain internal router profiles are provided for certain portions or subnets (e.g. to set different security parameters for certain portions of the network), such a determination may be implemented in order to implement correspondingly specific role based functionality. The router may also change from an IR characterization to an ER characterization in the event multi-homing occurs, the previously determined ER fails or requires temporary use of one of the IRs for backup, a change in hierarchical relationship is implemented and/or a connection of the IR not available to a previously determined ER is required to facilitate communications. In the event these or other positional changes are determined, Block may be returned to facilitate implementation of corresponding role based functionality.

Block 60 relates to determining the router to be in the edge position and assessing whether additional edge positioned routers are active within the multi-router network. The assessment of Block 60 may be an optional step to check whether the prefix delegation processing and/or addressing assignment properly constructed the multi-router network to include a single ER or at least a single ER for the type of services, network, etc. being performed with the router attempting to implement role based functionality (e.g., the multi-router network may have virtual networks, tunnels, etc. that allow the use of multiple ERs for the corresponding services). Block 62 is reached in the event multiple edge positioned routers are determined to be in conflict to facilitate generating an error message or implementing other corrective action. In the event the multi-router network prevents multiple routers from being characterized as edge positioned and/or the router is unable to make such an assessment (e.g., the router may be unable to make such an assessment without utilizing router protocols), Block 60 may be bypassed in favor of directly proceeding to Block 64.

Block 64 relates to configuring IR role based router functionality for the router after the router positioning determines the router to be an ER. The ER role based router functionality may be implemented according to an edge security profile stored on the router and/or provided thereto. The edge security profile may include roles, instructions, commands and/or other information associated with facilitating automatic configuration of the router according to desired role based functionality. The edge security profiles may specify a plurality of edge instructions sufficient for automatically controlling the router to implement the desired functionality, such as to facilitate setting firewall, NAT and/or other capabilities of the router without requiring corresponding user interaction or programming of the router. Optionally, configuring the IR role based functionality may include directing implementation of multiple functional capabilities according to a plurality of edge rules and/or profiles associated with the ER positioning determinations, which may be beneficial to facilitate implementing non-security and/or non-networking parameters for the router. Block 66 relates to performing a positional change assessment for the ER similar to the manner described in Block 58.

As supported above, one non-limiting aspect of the present invention contemplates facilitating firewall functionality on a home router that changes based on the role played by the router (e.g. whether it is at the customer edge or internal to the network). The process contemplated by the present invention may be beneficial in providing security throughout the home network, while providing extra protection at the edge. This may enable enhanced communication within the home, while also securing the home from unwanted attack.
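The role based selection described in Blocks 56 through 66, carried through in code as an added example; this is not the patent's own code, and it assumes the rule contents of claims 7, 8, 11 and 12, the single-ER check of Block 60 and claim 14, and a constructed position-detection heuristic (the router is an ER when the address that delegated its prefix lies outside the home's aggregate prefix, an IR otherwise). The home prefix and router addresses are constructed sample values.

```python
"""Role based firewall selection for a home multi-router network.

Added illustration, not the patent's code.  Profiles are constructed from the
description (Blocks 56-66) and claims 5, 7, 8, 11, 12 and 14.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Position(Enum):
    EDGE = "ER"        # edge router, facing the provider
    INTERNAL = "IR"    # internal router, fully inside the home


@dataclass(frozen=True)
class Rule:
    action: str      # "allow", "deny", "enable" or "disable"
    scope: str       # "in" / "out" (packet direction) or "feature"
    interface: str   # "up", "down", a zone name, or "*" for any
    match: str       # protocol or feature name; matched by prefix, "any" matches all


# Edge security profile, first matching rule wins (constructed from claim 7).
EDGE_PROFILE: Tuple[Rule, ...] = (
    Rule("allow", "in", "up", "dhcp"),
    Rule("allow", "in", "up", "neighbor-discovery"),
    Rule("allow", "in", "up", "icmp"),
    Rule("allow", "in", "up", "established"),     # pre-established TCP/UDP/multicast
    Rule("deny", "in", "up", "any"),               # first edge rule: deny other incoming
    Rule("allow", "out", "up", "pcp:p2p"),         # default list for PCP / UPnP IGD
    Rule("allow", "out", "up", "pcp:sip"),
    Rule("allow", "out", "up", "pcp:gaming"),
    Rule("allow", "out", "up", "pcp:http"),
    Rule("deny", "out", "up", "pcp"),              # second edge rule: block other PCP/UPnP
    Rule("deny", "out", "up", "site-multicast"),   # third edge rule
    Rule("enable", "feature", "*", "stateful-firewall"),   # claim 11
    Rule("enable", "feature", "*", "nat"),                 # claim 12
)

# Internal security profile (constructed from claim 8 and claims 11-12).
INTERNAL_PROFILE: Tuple[Rule, ...] = (
    Rule("enable", "feature", "*", "upnp-pcp-gateway"),
    Rule("enable", "feature", "*", "simple-security"),
    Rule("enable", "feature", "*", "intrusion-detection"),
    Rule("deny", "out", "security-zone", "pcp"),           # fourth internal rule
    Rule("allow", "out", "*", "site-multicast:rpf-pass"),  # forward RPF-passing multicast
    Rule("deny", "out", "*", "site-multicast"),
    Rule("disable", "feature", "*", "stateful-firewall"),
    Rule("disable", "feature", "*", "nat"),
)

PROFILES = {Position.EDGE: EDGE_PROFILE, Position.INTERNAL: INTERNAL_PROFILE}

HOME_PREFIX = ipaddress.ip_network("2001:db8:1::/48")   # constructed home aggregate


@dataclass
class Router:
    name: str
    delegator: str                       # address that delegated this router's prefix
    position: Optional[Position] = None
    rules: Tuple[Rule, ...] = ()


class EdgeConflict(Exception):
    """Block 62: a second router claims the edge position."""


def detect_position(router: Router, home_prefix=HOME_PREFIX) -> Position:
    """Assumed heuristic: a delegator outside the home prefix is the provider (ER);
    one inside it is another home router (IR).  No routing protocol is consulted."""
    inside = ipaddress.ip_address(router.delegator) in home_prefix
    return Position.INTERNAL if inside else Position.EDGE


def configure(router: Router, network: List[Router]) -> Position:
    """Blocks 56/60/64: detect the position, refuse a second ER, load the profile."""
    position = detect_position(router)
    if position is Position.EDGE:
        holders = [r.name for r in network if r is not router and r.position is Position.EDGE]
        if holders:
            raise EdgeConflict(f"{router.name}: edge position already held by {holders[0]}")
    router.position, router.rules = position, PROFILES[position]
    return position


def reposition(router: Router, network: List[Router], new_delegator: str):
    """Block 58 / claim 5: re-run configuration after a positional change."""
    old = router.position
    router.delegator, router.position = new_delegator, None   # release old role first
    return old, configure(router, network)


def passes(router: Router, scope: str, interface: str, match: str) -> bool:
    """First-match evaluation of a packet against the router's active profile."""
    for rule in router.rules:
        if rule.scope != scope or rule.interface not in (interface, "*"):
            continue
        if rule.match == "any" or match.startswith(rule.match):
            return rule.action == "allow"
    return True   # no rule: forward (IRs deliberately filter less than the ER)


def enabled(router: Router, feature: str) -> bool:
    """Whether the active profile switches a feature (NAT, stateful firewall, ...) on."""
    return any(r.scope == "feature" and r.match == feature and r.action == "enable"
               for r in router.rules)
```

The conflict check in `configure` corresponds to the refusal in claim 14: a router whose detected position is edge is not configured while another router already holds that role, and `reposition` clears the old role before re-detecting so that an ER becoming an IR (or the reverse, during failover) does not conflict with itself.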

While exemplary embodiments are described above, it is not intended that these embodiments describe all possible forms of the invention. Rather, the words used in the specification are words of description rather than limitation, and it is understood that various changes may be made without departing from the spirit and scope of the invention. Additionally, the features of various implementing embodiments may be combined to form further embodiments of the invention.

What is claimed is:
 1. A method for automatically configuring firewall functionality within a multi-router network, the multi-router network including a plurality of routers arranged in a logical hierarchy, the method comprising: automatically determining a first position within the logical hierarchy for a first router of the plurality of routers, the first position being one of a plurality of positions defined within the multi-router network according to connections between the plurality of routers; and automatically configuring firewall functionality for the first router as a function of the first position.
 2. The method of claim 1 further comprising determining the first position to be one of an edge position and an internal position, the edge position and the internal position being defined within the plurality of positions, the edge position defining the first router as an edge router (ER) within the multi-router network and the internal position defining the first router as an internal router (IR) within the multi-router network.
 3. The method of claim 2 further comprising determining the first position automatically from addressing related information communicated to the first router over the multi-router network.
 4. The method of claim 2 further comprising configuring the firewall functionality for the first router according to an edge security profile if the first router is determined to be in the edge position and according to an internal security profile if the first router is determined to be in the internal position.
 5. The method of claim 4 further comprising: determining the first router to have moved from the first position to a second position, the first position being associated with the edge position and the second position being associated with the internal position; re-configuring firewall functionality for the first router from the edge security profile to the internal security profile after determining the first router to have moved from the first position to the second position.
 6. The method of claim 4 further comprising: configuring the firewall functionality for the first router according to the edge security profile by configuring the first router to implement one or more edge security rules, the edge security rules being specified within the edge security profile; and configuring the firewall functionality for the first router according to the internal security profile by configuring the first router to implement one or more internal security rules, the internal security rules being specified within the internal security profile.
 7. The method of claim 6 further comprising defining one or more of the edge security rules to include: a first edge rule for denying most incoming traffic on an up interface except for DHCP, Neighbor Discovery, ICMP, or pre-established TCP, UDP, and/or multicast streams; a second edge rule for blocking outgoing Port Control Protocol (PCP) and UPnP IGD messages on the up interface, except for a default list for peer-to-peer, SIP/VoIP, gaming, and/or http; a third edge rule for blocking site-scoped multicast messages from being sent to the up interface, while IRs forward site-scoped multicast messages passing a Reverse Path Forwarding check out all interfaces.
 8. The method of claim 6 further comprising defining one or more of the internal security rules to include: a first internal rule for enabling the first router to act as a UPnP/PCP gateway; a second internal rule for enabling simple security; a third internal rule for providing intrusion detection and/or intrusion protection; and a fourth internal rule for filtering PCP messages from the multi-router network to a special security zone network.
 9. The method of claim 6 further comprising defining at least one of: defining a majority of the edge security rules to be different from the internal security rules; and defining all of the edge security rules to be different from the internal security rules.
 10. The method of claim 2 further comprising configuring firewall functionality for the first router according to edge instructions associated with the edge security profile and internal instructions associated with the internal security profile, both of the edge instructions and the internal instructions being stored within a memory of the first router.
 11. The method of claim 2 further comprising configuring the firewall functionality for the first router by one of enabling and disabling a stateful firewall of the first router, including enabling the stateful firewall if the first router is determined to be in the edge position and disabling the stateful firewall if the router is determined to be in the internal position.
 12. The method of claim 2 further comprising configuring the firewall functionality for the first router by one of enabling and disabling a network address translator (NAT) of the first router, including enabling the NAT if the first router is determined to be in the edge position and disabling the NAT if the router is determined to be in the internal position.
 13. The method of claim 2 further comprising: automatically determining a second position within the logical hierarchy for a second router of the plurality of routers, the second position being one of a plurality of positions defined within the multi-router network according to connections between the plurality of routers; determining the second position to be one of the edge position and the internal position; automatically configuring firewall functionality for the second router as a function of the second position, including configuring the firewall functionality for the second router according to the edge security profile if the second router is determined to be in the edge position and according to the internal security profile if the second router is determined to be in the internal position.
 14. The method of claim 13 further comprising: preventing configuring firewall functionality for the first router and the second router in the event both of the first router and the second router are determined to be in the edge position; permitting configuring firewall functionality for the first router and the second router in the event both of the first router and the second router are determined to be in the internal position; and permitting configuring firewall functionality for the first router and the second router in the event one of the first router and the second router is determined to be in the edge position and the other one of the first router and the second router is determined to be in the internal position.
 15. A computer program product embedded in a non-transitory computer readable medium, the medium storing instructions sufficient for use with a processor to facilitate configuring firewall functionality for routers, the medium including instructions sufficient for: determining router positioning within a logical hierarchy of a multi-router network comprised of a plurality of routers, the router positioning being determined to be one of an edge position and an internal position; and configuring use of firewall functionality according to an edge security profile when router positioning is determined to be the edge position and according to an internal security profile when router positioning is determined to be the internal position.
 16. The computer program product of claim 15 wherein the medium includes instructions sufficient for enabling stateful firewall functionality if the router positioning corresponds with the edge position and for disabling stateful firewall functionality if the router positioning corresponds with the internal position.
 17. The computer program product of claim 15 wherein the medium includes instructions sufficient for selecting at least one of a plurality of firewall functionality options defined within the internal security profile, the internal security profile including at least the following firewall functionality options: disabling filtering; implementing simple security and PCP; and implementing advanced security.
 18. The computer program product of claim 15 wherein the medium includes instructions sufficient for determining router positioning as a function of messaging routed over the multi-router network without use of routing tables associated with a routing protocol.
 19. A router comprising: a plurality of interfaces configured for routing data packets, including at least one up interface and at least one down interface; a position detection module configured to detect a position of the router within a multi-router network; a profile selection module configured to select a functionality profile from a plurality of functionality profiles based on the position determined with the position detection module; and a functionality controller configured to control packet passage between the interfaces according to the functionality profile selected with the profile selection module.
 20. The router of claim 19 wherein: the position detection module is configured for determining the position to be one of an edge position and an internal position, the edge position defining the first router as an edge router (ER) within the multi-router network and the internal position defining the first router as an internal router (IR) within the multi-router network; and the profile selection module includes an edge profile and an internal profile, the edge profile for use with the functionality controller if the position is determined to be in the edge position and the internal security profile for use with the functionality controller if the position is determined to be in the internal position.